Palo Alto DNS Proxy Rule for Reverse DNS

I am using the DNS Proxy on a Palo Alto Networks firewall for some user subnets. Besides the default/primary DNS server, it can be configured with proxy rules (sometimes called conditional forwarding), which I am using for reverse DNS lookups, i.e., PTR records, that are answered by a BIND DNS server. While configuring the legacy IP (IPv4) reverse records is easy and well known, the IPv6 ones are slightly more difficult. Fortunately there are some good tools on the Internet that help with reversing IPv6 addresses.

I am using a PA-200 with PAN-OS 7.1.2. The BIND server runs on Ubuntu 12.04.5 LTS with BIND version 9.8.1-P1. For some general information about DNS reverse lookups, see this Wikipedia article; the same applies to the notation of IPv6 addresses in the DNS.

DNS Proxy Rule

This is the configuration of my DNS Proxy with one proxy rule for the reverse lookups. Note that the connections from the Palo Alto to the DNS servers are established via IPv6, even though the bulk of DNS lookups is still IPv4 (A records).

These are the four “domain names” I configured. The first three are the well-known legacy IP reverse zones (RFC1918) while the last one is my /48 global unicast IPv6 subnet.

*.168.192.in-addr.arpa
*.16.172.in-addr.arpa
*.10.in-addr.arpa
*.2.1.0.6.1.5.0.0.3.0.0.2.ip6.arpa

Now all DNS queries are primarily sent to DNS server at 2003:51:6012:120::a08:53, while the reverse DNS (rDNS) lookups are sent to 2003:51:6012:120::11.

BIND Zone

I am using a BIND server for my reverse zones. I am using this tool to generate the IPv6 zone file as well as this for further IPv6 PTR records. These are two of the four zones configured within the “named.conf.local” configuration file:

zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.168.192";
};

zone "2.1.0.6.1.5.0.0.3.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.2.1.0.6.1.5.0.0.3.0.0.2";
};

And this is part of my /48 zone for IPv6 PTR records, generated with the tool just mentioned:
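The reversing of addresses described in the introduction, the proxy rule domain names, and the owner names that a reverse zone generator writes into a zone file all follow the same rule: IPv4 addresses are reversed octet by octet under in-addr.arpa, IPv6 addresses nibble by nibble under ip6.arpa. The following Python is an added example (not the post's configuration and not the output of the tools the author links) that derives the zone origin for a prefix, the full PTR owner name for a host, a relative PTR line for the zone file, and which server the post's four proxy rules would send a query name to. The two server addresses and the four rule patterns are taken from the post; the hostnames in the main block are constructed, and the wildcard matching in forwarder_for is an assumption about how the rules are evaluated, not documented PAN-OS behaviour.

```python
import ipaddress

# Values taken from the post: the four proxy-rule domain names and the two servers.
PRIMARY_DNS = "2003:51:6012:120::a08:53"
REVERSE_DNS = "2003:51:6012:120::11"
PROXY_RULES = [
    ("*.168.192.in-addr.arpa", REVERSE_DNS),
    ("*.16.172.in-addr.arpa", REVERSE_DNS),
    ("*.10.in-addr.arpa", REVERSE_DNS),
    ("*.2.1.0.6.1.5.0.0.3.0.0.2.ip6.arpa", REVERSE_DNS),
]


def reverse_name(address: str) -> str:
    """Full PTR owner name of a single IPv4 or IPv6 address.

    IPv4 reverses the four octets under in-addr.arpa; IPv6 reverses all 32
    hex nibbles of the expanded address under ip6.arpa (RFC 3596).
    """
    return ipaddress.ip_address(address).reverse_pointer


def reverse_zone(prefix: str) -> str:
    """Reverse zone origin for a prefix, as used in the proxy rule and in the
    BIND 'zone' statement. IPv4 zones cut on octet boundaries and IPv6 zones on
    nibble boundaries, so any other prefix length is rejected."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("an in-addr.arpa zone needs a /8, /16 or /24 prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("an ip6.arpa zone needs a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(address: str, zone: str, hostname: str) -> str:
    """One zone-file line with the owner name written relative to the zone
    origin, which is what a reverse zone generator emits per host."""
    full = reverse_name(address)
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{address} is not covered by zone {zone}")
    return f"{full[: -len(suffix)]}\tIN\tPTR\t{hostname}."


def forwarder_for(qname: str) -> str:
    """Server a query name is sent to under PROXY_RULES.

    Assumption (not taken from PAN-OS documentation): a '*.<suffix>' rule
    matches any name below <suffix>, the longest matching suffix wins, and a
    name matching no rule goes to the primary server.
    """
    name = qname.rstrip(".").lower()
    best_suffix, server = "", PRIMARY_DNS
    for pattern, rule_server in PROXY_RULES:
        suffix = pattern[1:]  # drop the leading '*' to keep '.<zone>'
        if name.endswith(suffix) and len(suffix) > len(best_suffix):
            best_suffix, server = suffix, rule_server
    return server


if __name__ == "__main__":
    # Constructed hosts for a small excerpt of a /48 reverse zone file.
    v6_zone = reverse_zone("2003:51:6012::/48")
    print(f"$ORIGIN {v6_zone}.")
    for addr, host in [("2003:51:6012:120::11", "rdns.example.net"),
                       ("2003:51:6012:125::1", "pa-user.example.net")]:
        print(ptr_record(addr, v6_zone, host))
    # The two names from the nslookup test and where the rules send them.
    for q in ("blog.webernetz.net", reverse_name("192.168.100.0")):
        print(f"{q} -> {forwarder_for(q)}")
```

One caveat the zone derivation makes visible: RFC1918's 172.16.0.0/12 does not end on an octet boundary, so reverse_zone("172.16.0.0/12") raises, and a single rule such as *.16.172.in-addr.arpa covers only the 172.16.0.0/16 part of that block; each further /16 in use needs its own zone and proxy rule.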

Test ‘n Wireshark

This is a basic test from a Windows 7 client behind one of the user subnets on the Palo Alto. It uses the IPv4 address of the Palo Alto layer 3 interface (192.168.125.1) for DNS queries. I tested a normal DNS name, blog.webernetz.net, as well as a private/RFC1918 IPv4 address, 192.168.100.0. (Yes, in this case the *.0 IPv4 address is not the network address but a real address.)

C:\Users\weberjoh>nslookup
Standardserver:  pa-user.webernetz.net
Address:  192.168.125.1

> blog.webernetz.net
Server:  pa-user.webernetz.net
Address:  192.168.125.1

Nicht autorisierende Antwort:
Name:    blog.webernetz.net
Addresses:  2a01:488:42:1000:50ed:8588:8a:c570
          80.237.133.136

>
>
> 192.168.100.0
Server:  pa-user.webernetz.net
Address:  192.168.125.1

Name:    nc-client-0.webernetz.net
Address:  192.168.100.0

>
>

Captured on the Palo Alto (Monitor -> Packet Capture), these are two screenshots from Wireshark that show the connections to the different DNS servers for the different use cases. In both cases, the queries from the Palo Alto are sent from the appropriate layer 3 interfaces with their corresponding IPv6 addresses, in my case 2003:51:6012:125::1, etc.:

DNS queries from the DNS Proxy to the primary DNS server.

Queries to the reverse DNS server with only certain PTR records.

Some Notes

Also note that during some configuration changes (commits) on the Palo Alto, the DNS proxy was not working anymore at all! The only way to bring it back to life was to restart the process from the CLI on the Palo: